DSL/ethernet network perf problem with pf
- From: Patrick Proniewski <patpro@xxxxxxxxxx>
- Date: Mon, 30 Jul 2007 09:56:02 +0200
Hello,
I'm running a FreeBSD 6.2 on a Tyan motherboard. The board has 3 ethernet ports (fpx0, em0, em1). It uses `pf` to share/protect an internet access over xDSL plugged in fxp0 to 2 LANs on em0/1.
When pf is loaded, my transfert rate for a file on the internet reaches about 150-200 KB/s max, but I can download 2 or 3 files each at 120-150 KB/s at the same time.
If i disable pf (by unloading the kernel module), my transfert rate jumps to 650-700 KB/s
Here is my pf.conf :
# macros
int_if = "em0"
int_if_sec = "em1"
ext_if = "fxp0"
wif_if = "ath0"
tcp_services = "{ 22, 113, 80, 443, 25, 53, 554 }"
udp_services = "{ 53 }"
admin_tcp_services = "{ 311, 625, 5900, 5988 }"
admin_udp_services = "{ 3283 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8 }"
# Tables: similar to macros, but more flexible for many addresses.
table <admin_nets> persist { --some ip's-- }
table <friends> persist { --some ip's-- }
table <spammers> persist file "/etc/pf.liste_ip_spamer"
table <sshscan> persist file "/etc/pf.liste_ip_ssh_scan"
table <webspam> persist file "/etc/pf.liste_ip_webspam"
table <openarena> persist { --some ip's-- }
# options
set block-policy return
set loginterface $ext_if
# scrub
scrub in all
# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $int_if_sec:network to any -> ($ext_if)
# filter rules
block log all
block in log quick proto tcp from <spammers> to any port smtp
block in log quick proto tcp from <sshscan> to any port ssh
block in log quick proto tcp from <webspam> to any port http
pass quick on lo0 all
block drop in log quick on $ext_if from $priv_nets to any
block drop out log quick on $ext_if from any to $priv_nets
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state
##### admin
pass in log on $ext_if inet proto tcp from { <admin_nets>, <friends> } to { ($ext_if), 192.168.0.2 } port $admin_tcp_services flags S/SA keep state
pass in log on $ext_if inet proto udp from { <admin_nets>, <friends> } to { ($ext_if), 192.168.0.2 } port $admin_udp_services keep state
##### friends
#pass in log on $ext_if inet proto tcp from <friends> to ($ext_if) flags S/SA keep state
#pass in log on $ext_if inet proto udp from <friends> to ($ext_if) keep state
##### OpenArena
pass in on $ext_if inet proto tcp from <openarena> to ($ext_if) port 56789 flags S/SA keep state
pass in on $ext_if inet proto udp from <openarena> to ($ext_if) port 56789 keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass in on $int_if_sec from $int_if_sec:network to any keep state
pass out on $int_if_sec from any to $int_if_sec:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
any idea how I can reach 650-700 KB/s with pf enabled ?
regards,
patpro
_______________________________________________
freebsd-performance@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-performance
To unsubscribe, send any mail to "freebsd-performance-unsubscribe@xxxxxxxxxxx"
- Prev by Date: DSL/ethernet network perf problem with pf
- Previous by thread: DSL/ethernet network perf problem with pf
- Index(es):
Relevant Pages
|
|
